Cyber Security Awareness and Resilience of Dutch citizens

Leiden University

Institute of Security and Global Affairs Crisis and Security Management

Cyber Security Awareness and Resilience of Dutch citizens

Master thesis by Tessa Oomen

s1740768

Supervisor: Dr. Bibi van den Berg Second reader: Drs. Sergei Boeke 11 January 2017

Page 1 of 91

Master Thesis

Cyber Security Awareness and Resilience of Dutch citizens

Keywords

Cyber security, awareness, resilience, citizens, vulnerability, cyber threat, cyber protection measures.

Colophon

This research is a preliminary study for the iCARe initiative and is essential for completion of the master Crisis and Security Management of Leiden Univesity.

Leiden University Campus The Hague Turfmarkt 99 2511 DV The Hague Thesis supervisor: Dr. B. van den Berg Second reader: Drs. S. Boeke Author: T.A.P. Oomen Student number: s1740768 Email: t.a.p.oomen@umail.leidenuniv.nl

Page 2 of 91

Foreword

Before you lies the master thesis “Cyber security awareness and resilience in Dutch Citizens”, which was written as part of my graduation process for the master study Crisis and Security Management at Leiden University. The research process was coordinated by Dr. van den Berg, with the assistance of Drs. Hutten.

Together with Dr. van den Berg and Drs. Hutten, I decided the direction of my thesis and the design for my research methods. Further development and completion of the study was conducted independently.

I wish to thank Dr. van den Berg and Drs. Hutten for giving me this opportunity and for their trust in me. My gratitude also goes out to Drs. Boeke, for being my second reader. Additionally, I would like to thank my colleagues at Leiden University for welcoming me into the team and providing a stimulating work environment.

And last, but not least: special thanks go out to my partner, my fellow master students, friends, and family. Their never-ending support gave me strength.

Tessa Oomen

Page 3 of 91

Executive summary

The cyber security domain is subject to constant (technological) development. Humans are often considered to be the weakest link in the cyber security chain, and therefore need knowledge and skills to become secure in the cyber domain. Previous efforts from the Dutch government may not have been sufficiently effective, as citizens need to initiate the search for information Previous efforts from the Dutch government may not have been sufficiently effective, as citizens need to initiate the search for information. In contrast to this, iCARe, proposes to send commissioned teams to visit citizens in order to check their awareness and resilience regarding cyber security. This thesis is a preliminary study for iCARe in order to find out whether citizens are open to such a method.

To that end, this thesis starts by reviewing the current existing literature on cyber security and how cyber security can be defined, which vulnerability factors for cyber security risks exist, currently relevant cyber security threats, and the necessary protection measures. The literature review showed that:

 Cyber security can be defined as the protection of ICT systems, the information stored on or transmitted by these systems, and the humans and their interests who make use of these systems and/or information.

 Vulnerability factors relate to technical deficiencies, but also to risky behaviour, a lack of knowledge or awareness of cyber security, a perceived high skill related to cyber security, and other factors such as level of education.

 Relevant cyber threats for Dutch citizens are: malicious software (malware), payment fraud, social engineering, data breaches, network attacks, and cyber bullying.

 Necessary cyber protection measures are: regularly installing updates and patches, using secure Wi-Fi connections, implementing adequately configured firewall software, having (updated) antivirus software, using a password protocol, and making regular backups of personal data.

Next, by using interviews, preliminary findings on personal cyber security and citizens’ perspective on receiving help from their local government are collected. The findings of these interviews were then used as input for the questionnaire that was sent out. This questionnaire led to the following results:

 A high perception of one’s personal cyber security skills seems to have a relationship with becoming a victim to cybercrime.

Page 4 of 91

 In general, respondents did not change their online behaviour after becoming a victim of cybercrime. While respondents who did not become a victim believed they would change their behaviour.

 The majority of the respondents are aware of the protection measures outlined in this thesis, and have mostly implemented these measures. However, the results also indicate that improvements can be made.

 Respondents wish to receive help with their cyber security management and are curious about how adequate their level of cyber security is.

 With regards to receiving help from their local government, respondents have mixed feelings. They are generally positive about receiving help from an external person. However, would a local government representative come at their door, respondents would fear that their personal information would be used for other ends besides helping citizens with their cyber security.

To conclude, most of the respondents had some understanding of cyber security and which measures they should employ. However, multiple respondents admitted to not practicing, what would be considered, cyber secure behaviour. iCARe should focus on the fine line between perceived cyber security skill and actual cyber security levels, and on measures such as: password storage, firewalls, use of public Wi-Fi, making backups, and restarting devices. Furthermore, it is important that iCARe communicate their intentions clearly when visiting people’s homes to help them with employing said measures.

Page 5 of 91

Table of contents

Executive summary ... 3 Table of contents ... 5 Table of figures ... 6 1 Introduction ... 8

2 Methodology: literature review ... 10

3 Literature review ... 11

3.1 Cyber ... 11

3.2 Defining cyber security ... 12

3.3 Cyber security risks ... 13

3.4 Vulnerabilities ... 13

3.5 Cyber threats ... 18

3.6 Protection measures ... 24

3.7 Government efforts to increase cyber security of Dutch citizens ... 26

3.8 Concluding the literature review ... 27

4 Methodology: field research ... 30

4.1 Research plan and procedure ... 30

4.2 Respondents ... 31

4.3 Materials and instruments ... 31

4.4 Processing the results ... 32

5 Results ... 33

5.1 Interviews ... 33

5.2 Questionnaire ... 33

6 Conclusion and discussion ... 59

6.1 Conclusion for the questionnaire ... 59

6.2 Limitations ... 62

6.3 Possibilities for future research ... 62

7 Bibliography ... 64

Appendix A. Questions for interviews ... i

Appendix B. Example results of interviews ... ii

Appendix C. Questionnaire ... x

Page 6 of 91

Table of figures

Figure 1: Ages of respondents ... 34

Figure 2: Highest completed level of education ... 35

Figure 3: Time spent online (hours per day during personal time) ... 35

Figure 4: Overview of devices used by respondents to go on the internet ... 36

Figure 5: The percentage of respondents owning devices with connection to the internet ... 37

Figure 6: Recoded completed highest level of education ... 38

Figure 7: Previous victimization recoded into three categories ... 38

Figure 8: Bar chart for Previous victimization and Level of education ... 39

Figure 9: Redestribution of reported hours spent online per day ... 40

Figure 10: Previous victimization for each defined group of ‘time spent online’ ... 40

Figure 11: Perceived personal cyber security skill of respondents ... 42

Figure 12: Prevalence of victimization for each group of defined perceived skill ... 42

Figure 13: Response distribution for feeling in control of access to online personal data ... 43

Figure 14: Redistribution for feeling in control of access to online personal data ... 44

Figure 15: Previous victimization and perception of control over personal data on the internet 44 Figure 16: Reported behaviour change after becoming a victim of a cybercrime ... 45

Figure 17: Expected behaviour change after becoming a victim of a cybercrime ... 45

Figure 18: Responses to recognising a secure website ... 46

Figure 19: Responses to recognising secure e-mails and attachments ... 46

Figure 20: Percentages of respodents who report to not clicking random links ... 47

Figure 21: Reported frequency of restarting devices ... 47

Figure 22: Reported frequency of making backups ... 48

Figure 23: Reported Wi-Fi security at home ... 48

Figure 24: Reported use of secured or non-secured public Wi-Fi points ... 49

Figure 25: Reported use of a firewall ... 50

Figure 26: Reported use of antivirus software ... 50

Figure 27: Reported frequency of installing patches and updates ... 51

Figure 28: Reported use of repeated passwords ... 52

Figure 29: Reported combination of characters used in passwords ... 52

Figure 30: Reported use of password storage per method ... 53

Figure 31: Respondents’ views on receiving a 'check' on respondents' cyber security situation . 54 Figure 32: Respondents’ responses to receiving help with cyber security at home ... 54

Figure 33: People respondents would want help from ... 55

Page 7 of 91

Figure 35: The groups that receiving help from the local government would be best for,

according to respondents ... 56 Figure 36: Respondent's reported attitude to receiving help from their local government ... 57 Figure 37: Reliability of a representative making a house visit, according to respondents ... 57 Figure 38: Perceived impracticallity of receiving house visits by local governmnet

representatives ... 58 Figure 39: Perception of likelihood that personal information will be used for other purposes

Page 8 of 91

1 Introduction

The computer industry and cyber security as a field of study are continuously developing. Cyber-attacks are becoming more advanced, computers and information systems are more often the target of crimes, and actors partaking in cyber-criminal activities are becoming more knowledgeable and effective (NCSC, 2016; Europol, 2016; TNS, 2016, p. 3; Von Solms & Van Niekerk, 2013, p. 98; De Cuyper & Weijters, 2016, p. 5).

A wide range of actors can pose a risk on the cyber domain, each with their own set of goals and choice of targets. These actors can be, but are not limited to, states, professional criminals, (h)acktivists, or ‘normal’ citizens (Europol, 2016; NCSC, 2016). Their goals relate to monetary gain, boosting political power, spreading political or religious messages, or creating social disorder through disrupting critical infrastructure. Victims can be other governments, private organizations, or citizens (NCSC, 2016). Key threats consist of malware, online child sexual exploitation, payment fraud, social engineering, data breaches and network attacks, attacks on critical infrastructure, identity theft, cyber stalking and cyber bullying, and many more (Europol, 2016; Leukfeldt et al., 2013; CBS, 2015; Reyns & Henson, 2016; White & Carmody, 2016; Festl & Quandt, 2013; NCSC, 2016).

However, not all threats are intentional and part of cyber security is limiting threats of accidental nature, most often caused by human failure (TAG, 2010; Casesa, 2016). It is often argued that humans are the weakest link in the cyber security chain (Abawajy, 2012) and it has become clear that citizens need more knowledge and skills to be secure online (Kritzinger & Von Solms, 2010; Dinev, Goo, Hu & Nam, 2009, p. 392; TNS, 2016, p. 3; Kumar, Mohan & Holowczak, 2008). In 2015, 11.1% of Dutch citizens reported to have been a victim of a cybercrime (CBS, 2015). In response to these developments, the Dutch national government has implemented several initiatives in the past in an attempt to improve cyber security levels of citizens in the Netherlands. One example is the campaign ‘Alert Online’ (see https://www.alertonline.nl). Such initiatives were designed as a top-down campaign, where the government informs the citizens from a distance.

Researchers from Leiden University propose a more direct method of improving cyber security awareness and resilience of citizens. Under the name ‘iCARe’, which stands for improving citizens’ cyber security awareness and resilience, the reseachers want to implement local initiatives, supported by local area governments, to raise cyber security awareness and resilience in citizens. The central idea is sending commissioned neighbourhood teams door-to-door. These teams can test and help improve cyber security related measures of citizens.

Page 9 of 91

This thesis is written as a preliminary study within the iCARe initiative and the aim is threefold: (1) to explore what citizens in the Netherlands know about cyber security and threats (awareness), (2) to identify which cyber security related measures they personally employ (resilience), and (3) to discover how they wish to receive help in raising their cyber security (awareness and resilience) level by the local government (or possibly other parties) through a strategy such as iCARe proposes. The main research question is therefore: “How do citizens in the Netherlands manage their cyber security and how would they prefer to receive assistance from Dutch local governments?”. The following sub-questions will help answer the main research question and give direction to the research methods to be used:

1. What is the definition of cyber security? 2. What constitutes a cyber security risk?

3. Which cyber threats exist and which cyber threats are relevant for Dutch citizens? 4. Which factors increase vulnerability of citizens to cyber threats?

5. How can citizens protect themselves from (future) cyber security threats?

6. How has the Dutch government previously tried to improve cyber security awareness and resilience in Dutch citizens?

7. How do citizens in the Netherlands manage their cyber security (related activities)? 8. Do citizens in the Netherlands wish to receive assistance from Dutch local governments?

a. If so, how?

Chapter 2 describes the methodology used for the literature review and how sources were selected. Chapter 3 provides an overview of the results from the literature review: the definition of cyber security, vulnerability factors, cyber threats, and protection measures. Chapter 4 consists of an introduction of the field research and of the methodology applied for data collection and analysis. The results for the field research are presented in chapter 5. Chapter 6 concludes the thesis with the overall conclusion and discussion of the whole study and the outcomes.

Page 10 of 91

2 Methodology: literature review

For this thesis, a literature review is conducted in order to evaluate existing knowledge about cyber security, cyber risks, vulnerabilities, threats, and protection measures in the cyber domain. The literature review was of explorative as it existing knowledge in (mostly) academic literature, on cyber security, as well as on how people fall victim to cyber threats and how they could protect themselves. The results of the literature review were used for the design of the field research. The subquestions that are answered through the literature review, are:

1. What is the definition of cyber security? 2. What constitutes a cyber security risk?

3. Which cyber threats exist and which cyber threats are relevant for Dutch citizens? 4. Which factors increase vulnerability of citizens to cyber threats?

5. How can citizens protect themselves from (future) cyber security threats?

6. How has the Dutch government previously tried to improve cyber security awareness and resilience in Dutch citizens?

The literature review started with an examination of the suggested literature by Drs. Boeke, for the course Governance of Cyber Security at Leiden University. The relevant articles provided insight into the definition of cyber security and provided links for additional sources, such as the CCDCOE and the US Joint Chiefs of Staff.

In order to find suitable academic literature for the other subquestions, the Leiden University library’s database were used. When requests provided no relevant results, the key terms were run through Google Scholar’s database. While gathering sources, the added value for this study and their relevance was continuously tested to the subquestions. The used key terms were: definition of cyber security, cyber risk, cyber vulnerability, cyber threat, cybercrime, cyber protection measures, victimization cyber domain,

As the cyber domain is continuously developing, recent sources were critical for the success of this thesis. As such, only sources from 2011 until 2016 were involved. A few exceptions were made: (1) when the source’s relevance was exceptional, (2) when the source’s information was confirmed by recent sources, or (3) when the source has no date, but the provider is a specialist or organization in the field of cyber security (such as Google Support, Symantec, and Cisco). For data and statistics on the prevalence on cyber security related incidents and citizens, it was necessary to find results for the Netherlands, as this thesis focuses on Dutch citizens. Key terms were (in Dutch): CBS, statistieken, cijfers, cyber criminaliteit, cyber slachtofferschap.

Page 11 of 91

3 Literature review

‘Cyber security’ has developed as an all-encompassing term for “ways of protecting computer systems against threats” (Cambridge Business English Dictionary, n.d.; Von Solms & Van Niekerk, 2013). However, this definition does not convey the full extent of the meaning of the term, and its relevance to today’s society (Boyes, 2015; Von Solms & Van Nieker, 2013). Therefore, this chapter starts with a discussion of the concept of ‘cyber’ and ‘cyber security’. After providing a definition for cyber security, it is described how risks in the cyber domain are built up, which is followed by an assessment of possible vulnerabilities, threats, and protection measures. The chapter ends with a short description of previous measures by the Dutch government to improve cyber security of citizens.

3.1 Cyber

Before delving into the definition of cyber security, exploration of the concept of ‘cyber’ takes precedence. According to the Cambridge dictionary, cyber means “involving, using, or relating to computers, especially the internet”. Cyber as a prefix finds its origin from cybernetics, which is “the interdisciplinary study of the structure and flow of information in self-regulating communication systems (technical, social, or biological), e.g. issues of feedback and control within organizational communication” (Chandler & Munday, 2011).

From this statement it can be concluded that cyber relates to a broader scope of technology than just computers. In fact, all (technological) systems that carry or broadcast information can be considered a part of cyber space, or the cyber domain, or the cyber arena (Cankaya, 2015). “Cyber space is a global domain within the information environment consisting of the interdependent network of information technology infrastructures, including the Internet, telecommunications networks, computer systems, and embedded processors and controllers” (US Joint Chiefs of Staff, 2010, p. 92).

Since ‘cybernetics’ was first coined by Weiner in 1948, cyber as a prefix cannot be considered entirely new (Warner, 2012). The same goes for cyber security. From the 1960s to the 1990s, the realization that computers and related systems could be threatened came into existence and cyber security became more and more relevant. The insights developed first from knowing that computers can leak data and therefore require guarding, to the possibility that computers can be attacked and data can be stolen, and subsequently to the notion that computers can be used for attacks and could be integrated in military strategy. The last notable insight is that others may have realised this as well, and may already using these insights against their enemies (Warner, 2012, p. 782).

Page 12 of 91

3.2 Defining cyber security

Security as a whole has been an ambiguous concept since its first formulation and is expected to remain so (Baldwin, 1997) and the same goes for cyber security. For example, the NATO Cooperative Cyber Defence Centre of Excellence states on their website (CCDCOE, n.d.; https://ccdcoe.org) that “there are no common definitions for cyber terms – they are understood to mean different things by different nations/organisations, despite prevalence in mainstream media and in national and international organisational statements”.

In academics, the most notable effort to define cyber security is published by Von Solms and Van Niekerk (2013), though it is highly similar to the CCDCOE’s framework for conceptualizing a national cyber security strategy from 2012. Von Solms and Van Niekerk feel that the general understanding of cyber security is more in line with the definition of information security (Von Solms & Van Niekerk, 2013, p. 97) and they stress the importance of uncoupling three concepts that are interconnected: IT and ICT security, information security, and cyber security.

Security of Information (and Communication) Techonology (IT or ICT) relates to hardware or other technology-based sytems. These systems have information stored on them, or they can transmit or receive information to transmission from other systems (Von Solms & Van Niekerk, 2013, p. 98).

Information security pertains to the process of “ensuring the confidentiality, integrity and availability of information” (Von Solms & Van Nieker, 2013, p. 97). These three characteristics are also known as the CIA triad and are believed to be central to information security (Boyes, 2015, p. 29). However, this triad has since been expanded on by Parker (as referenced by Boyes, 2015) to encompass authenticity, utility, and possession, and has been named the “Parkerian hexad” (Boyes, 2015, p. 29). Thus, information security focuses on the protection of information from events such as theft or corruption, but by extension, also the systems on which the information is stored or sent to. Finally, in both ICT and information security, the human factor is included in the process of securing ICT or as a threat to ICT (Von Solms & Van Niekerk, 2013, p. 97).

Information security and cyber security are often used interchangeably. However, if that were possible, it would mean that cyber security relates only to safeguarding information and the systems on which the information is stored (or transmitted to/from) and that humans form either a threat to security or are a part of installing security measures (Von Solms & Van Niekerk, 2016, p. 99). Yet, the introduction already showed that there are many threats that do not relate to just attacks on ICT (disruption of critical infrastructure) or attacks related only to information (malware); cyber security includes the concept of humans as a victim, as is the case

Page 13 of 91

with cyber bullying or stalking. Thus, what extends the definition of cyber security above IT/ICT and information security is the fact that humans do not just take part in the security process or as a possible threat to ICT, but can also be considered a target of cyber security attacks.

Cyber security can therefore be defined as the protection of IT or ICT systems, the information stored on or transmitted by these systems, and the humans and their interests who make use of these systems and/or information (Von Solms & Van Niekerk, 2013, p. 101).

3.3 Cyber security risks

Apart from understanding what the concept of cyber security means, it is important to clarify what constitutes a risk for cyber security, how risks differ from threats, and how vulnerabilities and protection measures come into play.

Risks can be defined numerically, by multiplying probability of an incident by the (expected) impact such an incident may have (Van den Berg & Van Zoggel, 2014). However, for the purpose of this thesis, the numeric definition has little value. A more descriptive way to define risk is when there exists a “potential for loss, damage or destruction of an asset as a result of a threat exploiting a vulnerability” (TAG, 2010).

For the cyber domain, assets are IT or ICT, information, and humans. Vulnerabilities are factors that result in a weakness or a gap in protection efforts and threats are any action or event that exploits a vulnerability, either intentionally or accidentally (TAG, 2010). Therefore, cyber security risks exist when there is a chance that IT/ICT or information face destruction, damage or loss, or when humans sustain damage as a result of misuse or corrupt information.

This chapter further explores the vulnerabilities that increase the chance of being at risk of cyber threats, then will continue with the most relevant threats in the cyber domain and measures to protect against these threats or mitigate vulnerabilities. Finally, this chapter ends with efforts made by the Dutch government to increase cyber security of citizens.

3.4 Vulnerabilities

Vulnerabilities are weaknesses or gaps in the cyber arena that can increase the risk of becoming a victim (victimization) of a cyber threat (TAG, 2010). There are several vulnerability factors that have been brought into connection with an increased chance of becoming a victim of a threat within the cyber domain.

Vulnerabilities may exist on two levels. The first level is the technical level, which covers weaknesses in how systems and software are built (Cankaya, 2015; Boyes, 2015). “Simple coding errors” may leave end users exposed to others wishing to exploit their vulnerability

Page 14 of 91

(Boyes, 2015, p. 29). Vulnerabilities on the technical level usually require technological solutions. However, according to the RAND Corporation, engineered solutions would not provide sufficient computer security on their own. Instead, cyber security relies more on ‘hygiene’ than hardware (Warner, 2012, pp. 784-785), where hygiene within the cyber domain pertains to adhering to established processes that reduce the risk of becoming compromised (Boyes, 2015). Cyber hygiene provides the linking factor to the second level on which vulnerabilities may exist: the non-technical level (Cankaya, 2015, p. 365).

Vulnerability on the the non-technical level pertains to non-conformity to organizational policies or procedures (Cankaya, 2015). This non-conformity, expressed in choices or behaviour, could increase the chance of being exploited by a cyber threat. In organizations, it is possible to impose penalties on employees when their behaviour deviates from regulations. However, this is not possible for citizens in their home environment (Kritzinger & Von Solm, 2010; Abawajy, 2012). Since this thesis focuses on citizens and their personal cyber security management, organizational policy is not discussed any further. However, the following section will show that there are a few policy-related measures that can lessen vulnerility on the non-technical level. Then, this chapter will go deeper into other factors that have been linked to an increased vulnerability to cyber threats, such people’s perception, awareness, and behaviour, and personal characteristics or demographics (Kritzinger & Von Solms, Reyns et al., 2016; CBS, 2015).

3.4.1 Policies and Netiquette

Organizations, schools, work environments, and similar bodies are the main entities that have a cyber security policy to instruct employees, students, or guests how they are allowed to use the internet and how they use or spread information obtained through the organization. Compliance to these policies can be forced through sanctions, but such enforcement does not exist in the home environment (Kritzinger & Von Solms, 2010; Abawajy, 2012).

Websites that require an account can employ several methods to improve privacy and security for users. Websites can enforce minimal requirements for passwords, such as length and type of characters used, and give tips on how to store passwords safely (Nadeau, 2013). These websites, but also online games, banks, or governmental institutions, provide their clients with warnings or notifications on their methods of communicating with clients, so as to lower the risk of clients falling for a phishing attempt (see for instance: Rabobank, 2016). Additionally, warnings and information concerning protection measures is strategically placed, so clients are triggered to adopt the proposed measures. All these measures can be considered as a form of policy, with password design as hard requirements and others as guidelines (Nadeau, 2013).

Page 15 of 91

Additionally, there is an informal set of rules that citizens can follow whilst browsing the internet, called netiquette. Netiquette is shorthand for ‘internet’ and ‘etiquette’ and describes the rules of conduct for browsing or communicating on webpages, forums, and other pages (Cucu, 2016). These rules are not uniform for the whole of the internet and are not legally binding; compliance cannot be forced. However, publishing a netiquette informs end users on how they can protect themselves and there has been evidence for a positive relationship on knowledge of cyber security and the adoption of cyber security measures (Cucu, 2016; Wang, 2013).

3.4.2 Routine Activity Theory

In order to be able to fully explore relevant factors that may increase vulnerability on the non-technological level, it is necessary to study explanations for how and why people may become a victim of a threat.

In the field of criminology, one of the leading theories of victimization is Routine Activity Theory (RAT). It was developed by Cohen and Felson in 1979 in order to explain the increase in crime rates after World War II (Reyns, Benson & Fisher, 2016, p. 151). RAT states that the chance of becoming a victim of a crime is determined by three factors: (1) an accessible victim, (2) a willing and capable offender, and (3) lack of a guardian who can prevent a crime. Additionally, the victim’s lifestyle and routine activities define in part whether the victim is an accessible and suitable target (Saridakis, Benson, Ezingeard & Tennakoon, 2016; Reyns et al., 2016; Jansen et al., 2013).

RAT has been proven useful to apply to study victimization of a wide range of crimes, and, to some extent, also for long distance crimes or even cybercrime (Reyns et al., 2016, pp. 151-152). However, some difficulties remain with the application of this theory for the cyber domain, as not all three factors of RAT translate perfectly to the cyber domain (Reyns et al., 2016; Jansen et al., 2013). First, according to RAT, accessibility of targets and the presence of willing and capable offenders must converge in time and space. Yet online convergence of victims and offenders contrasts greatly with convergence in the physical world, because: “the temporal overlap between victims and offenders may be lagged – either for a very short time or a longer period” (Reyns & Benson, 2016, p. 1122). Second, online presence alone is not the sole risk factor for victimization, but the online routines of potential victims were key factors for victimization (Holt & Bossler, as referenced by Reyns et al., 2016, p. 152). However, one can consider that an increase in time spent online may give an increased chance of victimization, as there is more time to engage in harmful behaviours. Dutch citizens spent four hours per day on the internet in their free time in 2011 (SCP, 2013), but according to a study from 2015, the average time for

Page 16 of 91

internet-related activities during personal time has lowered to an average of three hours per day (Wennekers, Van Troost & Wiegman, 2016).

How guardianship in the cyber domain should be defined is still unclear. When RAT was first developed, guardianship consisted of the availability or presence of a person who would be able to prevent or stop the crime from happening (Saridakis et al., 2016; Reyns et al., 2016, p. 149; Jansen et al., 2013, p. 396). However, this shows a significant paradox: “a human presence in an online environment is virtual by definition” (Reyns et al., 2016, p. 153). To solve this conundrum, scholars have studied the relationship between ‘offline guardians’ and victimization of cybercrime. For instance, Reyns and colleagues (2016) considered the effects of living arrangements on victimization, hypothesising that when people live together and feel a personal responsibility to protect one another, the chance of someone becoming a victim of a cyber threat should be low. Initial results of this study have shown that physical presence of a guardian has no effect on the chance of victimization in the cyber domain (Reyns et al., 2016). Other studies removed physical human presence from the conceptualization of guardianship, stating that security software, skills with computers, end users having ownership of personal information or at least being able to exert control over their online information will reduce the chance of becoming a victim of cybercrime (Reyns et al., 2016; Saridakis et al., 2016). However, conclusions of several studies were inconsistent and the success of this so-called ‘target hardening’ is most likely linked to the type of victimization being studied (Reyns et al., 2016, p. 154). Nevertheless, target hardening must not be disregarded as a whole, as the general population know little about the cyber domain, cyber security, or how the internet works (Naughton, 2016, p. 5-6). Basic knowledge on these topics is necessary in order for people to be able to protect themselves.

3.4.3 Perception, awareness, and behaviour (online)

As RAT proposes, certain types of behaviour on the internet have been found to increase the chance of victimization of cybercrime. Behaviour is influenced by perceptions and awareness on relevant factors, thus, as Dinev and colleagues (2009) state, “understanding user attitudes, intentions and behaviour towards protective information technologies is essential for designing effective technologies, policies and practices in order to successfully defend against the negative technologies” (p. 392).

If people lack skills needed for sufficient cyber security, their risk to become a victim of cybercrime increases (Kumar et al., 2008). However, an increased risk of victimization also arises when internet users perceive their cyber security skills to be high, because users may allow themselves to engage in risky online behaviour. Another reason could be that the

Page 17 of 91

perceived skill level may not be as high as the actual skill level of the individual. Even without behaving riskily, the level of cyber security may not be as high as the individual believes, which could cause him or her to be vulnerable for exploitation by a cybr threat (Saridakis et al., 2016). Internet users are unaware of the possible threats in the cyber domain (Kumar et al., 2008) and possible threats in the cyber domain are considered to be less serious than threats in the physical world because of the lack of possible physical harm (Henson, Reyns & Fisher, 2013). Having fear of becoming a victim of cybercrime seems to have no influence on the chance of victimization, but being aware of the risks and being aware of security measures does improve users’ cyber security (Kumer at al., 2008). When users become aware of a security breach, their intention to use protective measure increases (Dinev et al., 2009).

Users being more prone to engage in risky behaviour does increase the chance of being a victim of cyber threats or cybercrime. When users perceive to be in control of their information, but also when they can actually exert control over the accessibility of their information, the risk of victimization is lower than when they do not have this perception (Saridakis et al., 2016).

Victimization of cybercrime has been brought into connection with intensive use of knowledge exchange sites, such as LinkedIn (Jansen et al., 2013; Saridakis et al., 2016). Successful use of these websites requires users to expose a great deal of personal information. This information can then be used by individuals to steal personal information or for other motives. Using websites with a personal account, for posting on forums or messaging other users, increases visibility to people with criminal intent (Saridakis et al., 2016; Jansen et al., 2013).

Other activities that may increase the chance of victimization have to do with social media and the way people use them to share information, but this falls outside of the scope for this thesis and will therefore not be explored any further.

3.4.4 Demographic factors

Target accessibility and suitability are key factors that can increase the chance of becoming a victim, according to RAT. This paragraph shows which demographic factors have previously been found to influence victimization opportunities and focuses on citizens in the Netherlands. For the Netherlands, CBS found that victimization of cybercrime is not dependent on geographical location, nor does it matter whether someone lives in a city or in the countryside (CBS, 2015, p. 85-86). However, Europol did find that social engineering (specifically grooming) occurred more often in areas where poverty levels are high, child protection is ill organised, and where there is easy access to children (Europol, 2016, p. 10), so geographical location may be more relevant for different types of cybercrime.

Page 18 of 91

Previous studies found that gender, age, and ethnicity are irrelevant for becoming a victim of malware since the main target of cybercrime is the device and the data it contains (Jansen et al., 2013), yet for other cybercrimes these factors may be relevant. For instance, when taking gender into account, men are more often a victim of cybercrime than women, especially of hacking (CBS, 2015, p. 85-86). However, underage girls between the ages of 15 and 17 years old are victimized more often than boys of the same age (CBS, 2015, p. 96-98). Youngsters between 15 and 24 are more often a victim of cybercrime than other age groups, except for identity fraud, of which the elderly are a victim more often (Jansen et al., 2013; CBS, 2015).

Which cultural background respondents have, seems to have no significant influence on the chance of victimization, while having a high level of education showed higher risk for identity fraud, buy-and-sale fraud, and hacking. Homosexual men were more often a victim of cybercrime than heterosexual men, especially for cyber bullying (CBS, 2015, p. 85-86).

3.5 Cyber threats

As stated before, cyber threats exploit vulnerabilities and IT/ICT systems, information, and humans must be protected (TAG, 2010). In the field of cyber security, threats are often defined as cybercrime (Europol, 2016; CBS, 2015; NCSC, 2016). However, not all threats are crimes, as some threats are accidental of nature. For example, leaving security information in the open is a threat to cyber security, but can be the result of thoughtlessness instead of malicious intent (Casesa, 2016).

Both types of threat must be protected against, but of the purpose of this thesis, only threats with malicious intent are described in this chapter. This means that this part will focus on cybercrime and its typology first. The next section will then continue with protection measures that cover both cybercrime and the earlier described vulnerability measures. In practice, these protection measures will cover threats of accidental nature as well.

3.5.1 Cybercrime

Cybercrime as a concept can be understood in different ways. The Dutch institution for statistics (CBS) defines cybercrime as criminality that has to do with internet or digital information carriers (CBS, 2015, p. 75). Jansen and his colleagues (2013) and De Cuyper and Weijters (2016) provide a more comprehensive way of understanding cybercrime. They specify that cybercrime has different meanings and is dependent on which definition is used: the broad definition or the narrow definition.

The broad definition of cybercrime relates to ‘old crime’ where ICT is just the method and not the target, and it is more referred to as digitalised crime (Jansen et al., 2013, p. 394; De Cuyper &

Page 19 of 91

Weijters, 2016, p. 7). This definition corresponds with what Wall considers the ‘first generation of cybercrime’ (Wall, 2007/10; Koops, 2011). However, the development of ICT provided the opportunity for creating new forms of crime that could not have existed otherwise. This ‘third generation of cybercrime’ (Wall, 2007/10) links to cybercrime when using the narrow definition: ICT is used as a method, but is also the target (Jansen et al., 2013, p. 394; De Cuyper & Weijters, 2016, p. 7). What Wall considers the ‘second generation of cybercrime’ can be viewed as the transition period between the first and third generation.

3.5.2 Types of cybercrime

Categorising threats in the cyber domain can be done in a multitude of ways, but categorisation mostly depends on the type of actor, motivation for the crime, type of target, or method of crime (Wall, 2007/10; Koops, 2011; Goodman & Brenner, 2002; De Cuyper & Weijters, 2016). Whether a cyber threat can be considered to be a cybercrime can be concluded from the existing Code of criminal law (Koops, 2011; De Cuyper & Weijters, 2016).

Lending from the criminological perspective, Goodman and Brenner identified four categories of crime, dependent on the intended target: crimes against individuals, crimes against property, crimes against organizations, and crimes against society. These same categories can be transferred to the cyber domain as well and still focus on the intended victim, not the method of victimization (Goodman & Brenner, 2002, p. 56).

Since this thesis focuses on citizens and their personal cyber security, the central category for this paragraph will be ‘crimes against the individual’. These crimes usually result in “a direct threat to cause physical harm to the victim or the victim’s family” (Goodman & Brenner, p. 60). However, as Goodman and Brenner continue, not all threats posed online can be prosecuted as the current existing definitions do not cover the ‘prohibited results’ and are therefore not illegal (Goodman & Brenner, 2002, pp. 58-60). Especially when taking into account that the internet provided the opportunity for the development of new types of crimes – the third generation as Wall puts it (2007/10) – prevention of victimization may be as important as ever.

In the following paragraphs, the most relevant cybercrimes with citizens as their target are described. The involved are considered relevant when citizens may face victimization in their personal environment and when the crimes are specifically directed at individuals.

The specific crimes listed in this thesis, are derived from the security monitor of 2015 from CBS, Europol’s International Organised Crime Threat Assessment of 2016, and the NCSC’s “Cyber Security Beeld Nederland” from 2016. This led to the selection of: malware, payment fraud, social engineering, data breaches, network attacks, and cyber bullying. Definitions and

Page 20 of 91

descriptions of these crimes are mainly gathered from the previously mentioned reports and from the large cyber security and networking companies, such as Symantec, Cisco, and Google. Malware

Malware, sometimes called ‘malcode’, is short for malicious software or code. It pertains to threats such as viruses, worms, Trojans, adware, and bots (Cisco, n.d.; Kumar et al., 2008). Relatively new developments in this category are ransomware and cryptoware (Europol, 2016). While Europol found that cryptoware has become a more relevant threat than data theft through ‘conventional’ malware or banking Trojans, data still remains the main commodity for criminals and criminal organizations (Europol, 2016, p. 11) which consequently leaves a considerable threat formed by ‘older’ data stealing methods. This finding is supported for the Netherlands, since the National Cyber Security Centre (in Dutch: Nationaal Cyber Security Centrum, NCSC) found that Dutch citizens run the highest risk from professional criminals who direct their efforts to stealing, publishing, and selling information (NCSC, 2016, p. 12). The report also shows that the threat is severe, either because of new developments, the limited effect of existing measures, or because incidents have occurred and will continue to occur in the Netherlands. Each type of malware has its own mode of infection and reproduction to other ICT systems. Computer users are often still needed in some way to authorize installing malicious software, either by clicking e-mail attachments or downloading files from the internet that have malicious code, including macros, attached to them. Macro is short for macroinstruction: an instruction that represents a sequence of instructions (Symantec, n.d.). These instructions contain the command to download and/or install the malware. Some forms of malware are incorporated in a seemingly innocent program and are installed alongside the wanted software. Malware that does not require help from computer users takes advantage of technical deficiencies in browsers, programs, operating systems and alike. Visiting a certain website would then be enough to get infected with malware (Cisco, n.d.c).

Malware infects data, hosts or networks, with the goal to damage or steal information or to disrupt systems or information transmission. The amount of damage malware does depends on its design. Some forms of malware only cause minor annoyances, while others can open ‘back doors’ for other individuals with bad intent. Botnets may even go unnoticed. Malware used to create a botnet provides the malicious user with a connection from the infected station to a ‘command and control’ centre that in turn has connections to other (infected) devices. This network of bots, or botnet, is then used to launch large-scale attacks on servers or websites of governments, organizations, or individuals. Spyware is a form of malware that does not execute any actions on the system it has infected, but merely offers the malicious user to spy on their

Page 21 of 91

victim so as to steal personal information (Cisco, n.d.c). Ransomware and cryptoware lock data on the computer or even the computer as a whole. The user is then required to pay money (ransom) in order to regain access to their data and or system. The problem is that even after paying, data may only be partly released or may not even be released at all (Europol, 2016). Mobile devices such as smartphones and tablets have become more vulnerable to malware, and the malware that is developed to infect mobile devices has become more advanced (Europol, 2016).

Payment fraud

Personal data may be the preferred commodity for cybercriminals; money is the central motive for their crimes (Europol, 2016). Payment fraud therefore constitutes a significant cyber threat. Two categories identified by Europol are card-present fraud and card-not-present fraud. The most well-known type of card-present fraud is skimming1 _{, but this is not considered to be a} cyber threat as these crimes occur ‘offline’ (Europol, 2016).

Card-not-present fraud (CNP fraud) pertains to the unauthorised use of the victim’s credit or debit card data and other information, such as the victim’s address, when making purchases where face-to-face interaction is not necessary. These transactions are made online or occur over the telephone (Smart Card Alliance, 2014, p. 5). As technology is continuously developing, citizens are more likely to face card-not-present fraud in the future. Europol already found that card-present fraud is declining, due to success of prevention methods, and the number of unlawful card-not-present transactions has grown (Europol, 2016).

CBS involved online fraud in their study of victimization of cybercrime in 2015. While they defined it as identity fraud, their definition corresponds to the meaning of CNP fraud, namely: using someone’s personal information without their permission for financial gain. CBS found that 0.6% of Dutch citizens were the victim of identity fraud in 2015 (CBS, 2015, p. 75).

Social engineering

The significance of social engineering is that it specifically targets the – what is assumed – weakest link in the cyber security chain: the human (Abawajy, 2012). In order to lure victims into giving up private (account) information, cyber criminals send e-mails, set up websites, or make phone calls that are tailored to the prospective victim’s characteristics. Using these tactics to exploit users to act in a way that endangers them is called social engineering (Google Support,

1 _{Payment cards make use of a magnetic strip to transfer relevant bank data for transactions. Criminals}

have been able to easily copy the data available through the magnetic strips and have acquired significant sums of money through this method. Skimming has become more difficult since the implementation of pin (codes) and chips on cards (Europol, 2016).

Page 22 of 91

n.d.b; Goodchild, 2012). After obtaining the wanted information, criminals use it to commit payment fraud, extort the victim for money, or pressure them into committing illegal acts, or to persuade people to install malware (CBS, 2015; Europol, 2016; Goodchild, 2012). Phishing e-mails are a well-known method that employ social engineering. Spear phishing, a form of phishing that focuses on a single specific target, is also on the rise (Europol, 2016, pp. 32-34). Sometimes victims are convinced to transfer money into an account, with the prospect of receiving a larger sum of money in return in the near future. This specific type is called ‘advance fee fraud’ or ‘advance fee scam’ (Europol, 2016). Grooming consists building up a relationship with the intended victim, through internet forums or instant messaging services, in order to persuade them into sexual favours or to commit crimes. Grooming is often employed by child sex offenders (Europol, 2016, p. 24).

Social engineering has become more harmful, as offenders coerce and extort their victims more often after obtaining personal information or private documents. Phishing and spear phishing were reported more often and the quality of these methods has improved which makes them increasingly successful (Europol, 2016, pp. 32-34). It is difficult to identify how many people have been a victim of social engineering tactics due to several reasons. First, attributing a cybercrime to social engineering or other methods, such as malware, is difficult. For instance, people may not be aware that they are a victim, or they may not realise the crime they faced had a digital component (Leukfeldt et al., 2013). Second, statistics provided by CBS (2015) indicate that not all instances of cybercrime are reported. There are a variety of reasons for not reporting crimes. For instance, people may be unaware that they can report cybercrime to the police or they might feel that reporting cybercrime will not help (Leukfeldt et al., 2013).

Data breaches

Before computers existed or became mainstream, data breaches already existed. They consisted of unlawful access to information or files on paper, such as medical or financial records. Technological developments and the internet have made it easier for criminals to obtain personal information on a large scale, but also changed the nature of the breaches. It is no longer necessary to physically enter data storage facilities (Lord, 2016).

Data breaches still consist of unauthorized access, only now to systems or information online. These break-ins are perpetrated by what are now called hackers (Symantec, n.d.). Many instances of data breaches have been in the news recently and these attacks resulted in the theft of billions of entries of account information (for an overview going back to as far as 2004, see: http://www.informationisbeautiful.net/ visualizations/worlds-biggest-data-breaches-hacks/).

Page 23 of 91

While individual citizens may not always be the central target of data breaches, they are affected by data breaches. Their personal information becomes openly available and all accounts with the same or at least similar, account information are compromised. Compared to other forms of cybercrime, CBS found that only a relative small number (0.6%) of Dutch citizens reported to have been a victim of hacking (CBS, 2015, p. 79). However, the number may be higher in reality. Organizations may not be aware they have been hacked2 _{or people may be unaware their} personal information was stolen during a hack. Additionally, people can be unaware of attacks to their personal devices or data. This is not unsurprising. Hackers find their way to such information in several ways. They can exploit technical deficiencies of the website and its security. Hackers can make use of insecure connections on the website’s end, but also on the end of the user trying to gain access to the website. Insecure connections, such as through public Wi-Fi access points, make it easier for hackers to obtain personal information (Lord, 2016; Savvides, 2015).

Network attacks

Network attacks are most often done through Denial of Service (DoS) or Distributed Denial of Service (DDoS) attacks. As the name suggests, these attacks prevent the targets from providing the services to their consumer base. Websites become unavailable and the attacked company could stand to lose business and money, or suffer a reputation loss (Incapsula, n.d.; Symantec, n.d.; Europol, 2016).

A DoS attack is perpetrated through one internet connection to exploit vulnerabilities in software or to flood a target with fake requests in order to overload servers. DDoS attacks make use of multiple devices and multiple connections to the internet. Because the volume of DDoS attacks is much higher than DoS attacks, DDoS attacks are much more difficult to mitigate. DDoS attacks are often deployed through the aforementioned botnets. DoS and DDoS attacks result in limited availability of websites or even server crashes. Defending against a DoS or DDoS attack is not possible, but citizens could try and prevent to become a part of a botnet by preventing malware infection (Incapsula, n.d.).

A recent attack in the United States showed how botnets no longer only connect computers, laptops, or smartphones, but also devices such as digital video recorders, printers, cameras, baby monitors, fridges and other household appliances (Ryall & Abbruzzese, 2016). These devices are part of the Internet of Things (IoT).

2 _{However, when organizations become aware of a hack, they have the duty to report the hack to the}

‘Autoriteit Persoonsgegvens’ in the Netherlands since 1 January 2016. See: https://autoriteitpersoons gegevens.nl/nl/ onderwerpen/beveiliging/meldplicht-datalekken

Page 24 of 91

The IoT is a relative new concept and pertains to devices that are equipped with the necessary properties to communicate, but can also sense, actuate, and capture, store, and process data (ITU, 2012, p. 4). The data can be communicated to other devices on the network, or the devices initiate action based on the data they record. For these actions, IoT devices no longer need human-to-computer or computer-to-computer interaction, as the data itself triggers actions to be performed by the devices (ITU, 2012, p. 4). The devices that are a part of the IoT are often incorporated in almost all facets of everyday life. There is a risk in this. According to Naughton (2016, p. 5), people are not interested to learn how these devices work and they take such items for granted. Being unaware of how things work may lead to an unawareness of the security breaches such items may pose (Naughton, 2015, p.5).

As a response to the recent attack in the United States, a parliament member in the Netherlands called for official security standards on European level for devices that are part of the IoT. The European Commission is already conducting research into this, but developing and implementing such standards will take a long time. In the meantime, the same parliament member believes that a form of certification for secure devices would be of value, in order to show consumers which products are safe to use (Kraan, 2016).

Cyber bullying

Other threats citizens in the Netherlands can face are cyber bullying, cyber stalking, or cyber extortion, or threats of violence in real life situations. Bullying is definitely not a new concept and it is not a part of the third generation cybercrimes, but about 3.2% of Dutch citizens have been a victim of some form of cyber bullying in 2015 (CBS, 2015, p. 80). This means that cyber bullying is still a relevant threat to Dutch citizens, especially because repeated victimization is relatively high compared to other cybercrimes (CBS, 2015, p. 80). In the Netherlands, in extreme cases, bullies violate the law and can be prosecuted (Stop Pesten Nu, n.d.).

3.6 Protection measures

There are several ways for individuals to prevent cyber security risks or to protect themselves against cybercrime or accidental threats, or to mitigate vulnerabilities. Protection measures can be either technology or non-technology related. The protection measures described in this chapter have been found to be effective to mitigate cyber security risks, are commonly applicable in the home environment of citizens, and their implementation can be achieved by laymen.

Installing updates and patches regularly

Harmful techniques keep evolving and protection measures should keep up with the developments. The main technology-related protection measure has to do with installing

Page 25 of 91

updates and patches, which are bits of software that improve quality of the software package (Symantec, n.d.). Updates and patches are sometimes necessary to keep the program suitable for newly developed devices or to install new features of software, but updates and patches also improve the security of software (Symantec, n.d.; Cisco, n.d.b).

Updating software and installing patches has been made easy by software developers, as users get an automatic message when updates are available. The problem is that users often do not install updates and patches, or even avoid them (Dinev et al., 2009).

Using secure Wi-Fi connection

Wi-Fi is wireless technology that is used to connect devices to each other and to the internet through radio waves. The problem is that radio waves can be intercepted by people with the proper equipment (“sniffing”). One possible solution to this is securing the Wi-Fi connection with a password. Externals without the password will not be able to read the signal (Cisco, n.d.b; Savvides, 2015).

When connected to public Wi-Fi, with or without password, there are ways to intercept other people’s online activities. This can be partly prevented by using websites that use HTTPS instead of HTTP, though ‘break-ins’ between a website’s server and device (“man-in-the-middle attack”) are still possible. Another possibility is to use VPN, which is a Virtual Private Network. VPN will encrypt traffic between devices and the server which will make it nearly impossible to ‘sniff’ traffic on a connection. Using a VPN requires a specific set-up and usually a subscription with a VPN provider (Savvides, 2015). This is a slightly more complicated protection measure and may not be known to all citizens.

Implementation of firewall software

A firewall recognises illegitimate traffic based on internet connection state, port, and protocol. This way, the firewall protects computers or other IT systems against possible harmful traffic on connections from the device to the internet, or from the internet to the device (Cisco, n.d.a; Kumar et al., 2008). What a firewall filters out is based on configuration choices made by the administrator, but is also based on context “which refers to using information from previous connections and packets belonging to the same connection” (Cisco, n.d.a).

When a firewall protects against connection from outside of the secure network, it is hardly noticeable by the user. However, when certain activities from the device to the internet are perceived as possibly harmful, the firewall may cause a warning to pop up. As this interferes with a user’s ease of use, he or she may block (some of) the firewall’s functios (Kumar et al., 2008).

Page 26 of 91 Having antivirus software

Antivirus software is easier to install and use than firewalls are (Kumar et al., 2008). Antivirus software protects devices by detecting harmful software such as viruses and worms (Cisco, n.d.; Kumar et al., 2008).

Updates and patches are also relevant for antivirus software as they include so-called definitions for malware and similar risks.

Using a password protocol

As data is a valuable commodity for cybercriminals, it is important for citizens to design and store their passwords securely. Secure passwords are unique for each account, do not use personal information or common words, and consist of a mix of letters, numbers, and symbols (Google Support, n.d.a).

Storing passwords on paper is risky, as they are easily stolen. All accounts that have the same passwords could be compromised. Passwords can be stored on a file on the computer, but are most safely stored in a password manager (Google Support, n.d.a).

Regular backup protocol

When the previously mentioned protection measures are not sufficient and someone finds themselves the victim of malware, they might need to reinstall their computer. In the case of an infection by cryptoware or ransomware, the user might lose access to their personal files. Having a recent backup of their data could lessen the amount of data lost, or even mitigate data loss entirely (Hong Kong Government, 2016).

This measure has more to do with getting back up after an attack (resilience), than with protection before an attack (awareness). However, since malware is still a considerable threat, continuous technological development and the notion that absolute security is impossible (Baldwin, 1997), it may be one of the most important measures for citizens.

3.7 Government efforts to increase cyber security of Dutch citizens

The Dutch government considers it their responsibility to provide security in the cyber domain, for both consumers and organizations (NCSC, 2016, p. 18). For this reason several initiatives have been developed and/or supported by the government with the goal to improve knowledge of cyber security and to evoke cyber secure behaviour in citizens. The initiatives so far consist mostly of raising citizen awareness against methods of cybercrime and the ways to check whether suspicious activity is real or how to protect oneself against cybercrime. (NCSC, 2016; TNS, 2016; ECP, 2014).

Page 27 of 91

One Dutch initiative of the government, the private sector, and non-governmental organizations, is called Alert Online (https://www.alertonline.nl). The goal for this campaign is to create awareness for online safety, to expand knowledge of cyber security, and to stimulate and help with cyber secure behaviour (ECP, 2014; TNS, 2016).

The website Veiliginternetten.nl (https//www.veiliginternetten.nl) has another initiative of the Dutch government, the private sector, and non-governmental organizations. If citizens wish to gather more information about how they can protect themselves online or how to protect their computers, they can find the necessary information here. However, the problem is that if the user is not aware of their lack of knowledge on cyber security, they will not search online for such websites (Kritzinger & Von Solms, 2010, p. 843).

Other problems can be: the developed programmes are not comprehensive enough, they might not include all relevant cyber security issues, they only provide limited beginner’s information, or are not regularly updated to fit with emerging (technological) trends (Kritzinger & Von Solms, 2010).

3.8 Concluding the literature review

The literature review showed that the cyber security domain is subject to constant (technological) developments and that ICT systems are becoming a target for cybercrime more often. Cyber security can be defined as the protection of ICT systems, the information stored on or transmitted by these systems, and the humans and their interests who make use of these systems and/or information.

Cyber security risks exist when there is a chance that IT/ICT or information face destruction, damage or loss, or when humans sustain damage or loss as a result of misuse or corrupt information. Humans are often considered to be the weakest link in the cyber security chain and their awarennes and knowledge should be increased, so they can improve their cyber security situation.

Vulnerabilities can exist on two levels: the technical level and the non-technical level. The technological level often requires technological solutions, but adequate cyber security levels often depend on ‘cyber hygiene’, thus behaviour. Personal characteristics have been brought into connection with victimization as well.

In order to define and structure vulnerability factors on the non-technological level, the Routine Activity Theory can be useful. RAT originates from the criminological domain, but has been applied to the cyber domain. The theory explains why people may become a victim of a cyber threat. RAT defines several factors: (1) a suitable and accessible victim, (2) a willing and capable

Page 28 of 91

offender, and (3) lack of a guardian who can prevent a crime. Additionally, the victim’s lifestyle and routine activities define in part whether the victim is an accessible and suitable target. The willing offender and his or her convergence with the victim are difficult to determine and do not relate to the goal of this study. These two topics are not discussed further in this thesis. The suitability and accessibility of the victim seem to rely on several characteristics and behaviour or perceptions.

First, in the Netherlands, the statistics for victimization of cybercrime vary among gender and age. Cultural background and geographical location (within the Netherlands) seem to have little to no influence on chance of victimization. However, citizens who have finished a higher education, become a victim of cybercrime more often than citizens with a lower education background. A direct link between time spent online and the chance of becoming a victim of cybercrime has not been found, but logically can be considered as a risk enhancer as there is more time to become exposed to cyber threats.

H1: The respondents who finished a higher level of education, have a higher count of previous victimization than respondents who finished a lower level of education.

H2: The more time respondents spend online, the higher the level of previous victimization. Second, the chance of victimization also increases when citizens have no security measures in place, which can be caused by limited IT skills or lack of knowledge on both protection measures and threats. Additionally, risky online behaviour, (lack of) awareness, and perceptions of citizens have been brought into connection with a higher degree of victimization. When people believe their skills to be high, they are prone to becoming a victim of cybercrime as they might engage in risk-increasing behaviour. If internet users perceive to be in control of their personal data (and when they have actual control), their chance of becoming a victim of cybercrime is found to be lower. When people have become a victim, their intention to employ protection measures has been found to increase.

H3: Respondents who perceive their cyber security skills to be high, have a higher count of previous victimization to cybercrime than respondents who perceive their skills to be low. H4: Respondents who feel in control of their personal data have a lower count of previous victimization to cybercrime than respondents who do not feel that way.